Caution urged in wake of RSA security breach

Jaikumar Vijayan |
March 19, 2011

No need for panic, but keep eye on RSA products, analysts say

Pescatore dismissed RSA's claim that it was the victim of a sophisticated Advanced Persistent Threat (APT) attack, a kind of low, slow highly targeted attack most commonly associated with Chinese hackers.

RSA's claim is "disingenuous," Pescatore said. "It is trying to deflect attention from RSA's failure to protect their systems. Any security company with any threat experience has been dealing with targeted threats for several years."

SecurID is a proprietary algorithm that is designed to produce random numbers in a pre-determined sequence, according to a description of the technology by the Intrepidus Group. The sequence is used by an RSA authentication server to essentially validate that a person logging in, actually has the token in their possession, Intrepidus said in a blog post today .

Each token features a "seed" that determines the sequence of 6-digit numbers generated by that token. The seed ensures that the numbers are produced in a sequence that is unique to each token. The SecurID algorithm ensures that there are literally an infinite number of potential sequences that can be generated by each token, making them almost impossible to crack, says Intrepidus.

Even so, there are circumstances under which this assurance can be weakened, Intrepidus noted. One example is where an attacker somehow manages to get a list of all seeds and their associated token serial numbers. Another scenario is if attackers manage to get a list of seeds and the corporations to which they have been assigned.

The worst case scenario is if hackers found any documentation showing an inherent weakness in the algorithm that would allow them to generate valid pass codes for hardware and software tokens, said Jeremy Allen, principal consultant with Intrepidus.

"Unless something is fundamentally broken there is no need to panic", Allen said.

Aleksandr Yampolskiy, director of security and compliance at Gilt Groupe, said that even if the hackers had managed to steal the SecurID algorithm, pulling of attacks will still remain very hard.

"Even if details of the pseudo-random number generator are advertised to the world, unless the seeds plus [the token holder's passwords] are revealed," attacks are not possible, he said.

"The individual customer passcodes are stored on servers in individual companies -- not in RSA," Yampolskiy said. "So hackers should not be able to get access to these."

"I would recommend people follow general security recommendations," Yampolskiy said. In addition to ensuring strong password and PIN policies companies should also ensure their critical systems are properly patched.